b'         U.S. ENVIRONMENTAL PROTECTION AGENCY\n         OFFICE OF INSPECTOR GENERAL\n\n\n\n                                        Catalyst for Improving the Environment\n\n\nBriefing Report\n\n\n\n\n       Self-reported Data Unreliable for\n       Assessing EPA\xe2\x80\x99s Computer\n       Security Program\n       Report No. 10-P-0058\n\n       February 2, 2010\n\x0cReport Contributors:                           Rudolph M. Brevard\n                                               Cheryl Reid\n                                               Vincent Campbell\n                                               Warren Brooks\n                                               Christina Nelson\n                                               Sabrena Stewart\n                                               Dave Cofer\n                                               Anita Mooney\n\n\n\n\nAbbreviations\n\nAC           Access Control\nASSERT       Automated System Security Evaluation and Remediation Tracking\nAU           Audit and Accountability\nC&A          Certification and Accreditation\nCM           Configuration Management\nEPA          U.S. Environmental Protection Agency\nFIPS         Federal Information Processing Standards\nFY           Fiscal Year\nIV&V         Independent Validation and Verification\nMA           Maintenance\nNIST         National Institute of Standards and Technology\nOIG          Office of Inspector General\nPOA&Ms       Plans of Action and Milestones\n\x0c                       U.S. 
Environmental Protection Agency \t                                             10-P-0058\n                                                                                                    February 2, 2010\n                       Office of Inspector General\n\n\n                       At a Glance\n                                                                          Catalyst for Improving the Environment\n\n\nWhy We Did This Review           Self-reported Data Unreliable for Assessing\nWe sought to determine           EPA\xe2\x80\x99s Computer Security Program\nwhether the U.S.\nEnvironmental Protection          What We Found\nAgency (EPA) implemented\nmanagement control processes     The oversight and monitoring procedures for ASSERT provide limited assurance\nfor maintaining the quality of   the data are reliable for assessing EPA\xe2\x80\x99s computer security program. As a result:\ndata in the Automated System\nSecurity Evaluation and              \xe2\x80\xa2 Unsubstantiated responses for self-reported information contribute to data\nRemediation Tracking                   quality problems.\n(ASSERT) system.                     
\xe2\x80\xa2 Limited independent reviews and lack of follow-up inhibit EPA\xe2\x80\x99s ability to\n                                       identify and correct data inaccuracies.\nBackground                           \xe2\x80\xa2 Independent reviews lack coordination with certification and accreditation\n                                       activities.\nEPA uses the ASSERT online           \xe2\x80\xa2 Information security personnel believe they need more training on how to\ntool to gather information             assess security controls and feel pressure to answer system security\nregarding testing and                  questions in a positive manner.\nevaluating Agency                    \xe2\x80\xa2 Limited internal reporting on required security controls and missing\ninformation systems, and               information in security plans inhibit external reporting.\ntracking progress made in\nfixing identified security        Further, incomplete security documentation raises concerns as to whether the\nweaknesses. 
EPA also uses         ASSERT application contractor is meeting federal requirements.\nASSERT to generate reports\nprovided to the Office of\n                                  What We Recommend\nManagement and Budget\npursuant to the Federal\n                                 We recommend that the Assistant Administrator for Environmental Information\nInformation Security\n                                 issue a memorandum to Assistant Administrators and Regional Administrators\nManagement Act.\n                                 emphasizing the importance of ensuring personnel accurately assess and report\n                                 information in ASSERT.\n\nFor further information,\n                                 We also recommend that the Director, Office of Technology Operations and\ncontact our Office of            Planning, integrate ongoing independent reviews with the Agency\xe2\x80\x99s Certification\nCongressional, Public Affairs    and Accreditation process, provide periodic training on how to assess and\nand Management at                document required minimum security controls, expand the Agency\xe2\x80\x99s security\n(202) 566-2391.\n                                 reporting process to include collecting information on all required minimum\nTo view the full report,         security controls, and implement a process to verify that Agency security plans\nclick on the following link:     incorporate all the minimally required system security controls.\nwww.epa.gov/oig/reports/2010/\n20100202-10-P-0058.pdf           The Agency agreed with all of our findings and recommendations.\n\x0c                      UNITED STATES ENVIRONMENTAL PROTECTION AGENCY\n                                   WASHINGTON, D.C. 
20460\n\n\n                                                                                    OFFICE OF\n                                                                               INSPECTOR GENERAL\n\n\n\n\n                                        February 2, 2010\n\nMEMORANDUM\n\nSUBJECT:\t             Self-reported Data Unreliable for Assessing\n                      EPA\xe2\x80\x99s Computer Security Program\n                      Report No. 10-P-0058\n\n\nFROM:\t                Rudolph M. Brevard\n                      Director, Information Resources Management Assessments\n\nTO:\t                  Linda Travers\n                      Acting Assistant Administrator for Environmental Information and\n                      Acting Chief Information Officer\n\n                      Vaughn Noga\n                      Acting Director, Office of Technology Operations and Planning\n\n\nThis is our report on the subject audit conducted by the Office of Inspector General (OIG) of the\nU.S. Environmental Protection Agency (EPA). This report contains findings that describe the\nproblems the OIG has identified and corrective actions the OIG recommends. This report\nrepresents the opinion of the OIG and does not necessarily represent the final EPA position.\nFinal determinations on matters in this report will be made by EPA managers in accordance with\nestablished audit resolution procedures.\n\nWe sought to determine whether EPA has a mechanism to monitor the quality of self-reported\ninformation systems security data. 
In particular, we assessed to what extent EPA:\n\n   \xe2\x80\xa2\t Implemented an organizational structure for monitoring data quality in the Automated\n      System Security Evaluation and Remediation Tracking (ASSERT) system.\n   \xe2\x80\xa2 Implemented policies and procedures for managing data quality internally.\n   \xe2\x80\xa2 Conducted follow-up activities to ensure responsible officials correct weaknesses.\n   \xe2\x80\xa2\t Implemented procedures to ensure that the ASSERT contractor adheres to federal \n\n      information security requirements. \n\n\x0c                                                                                          10-P-0058\n\n\nWe conducted this audit between January 2008 and September 2009, at EPA Headquarters in\nWashington, DC, in accordance with generally accepted government auditing standards issued\nby the Comptroller General of the United States. These standards require that we plan and\nperform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our\nfindings and conclusions. We believe that the evidence obtained provides a reasonable basis for\nour findings and conclusions.\n\nWe reviewed information entered in ASSERT as of September 2007. This information\nrepresented EPA offices\xe2\x80\x99 self-reported compliance status with National Institute of Standards\nand Technology (NIST) information systems security controls, as part of the Fiscal Year 2007\nFederal Information Security Management Act evaluation. Appendix A provides the federal\ncriteria used for this review and a description of ASSERT modules.\n\nWe randomly selected 5 NIST security controls and 51 EPA systems in ASSERT that had Fiscal\nYear 2007 self-reported compliance information. We reviewed the information to determine\nwhether it agreed with the details in the respective systems\xe2\x80\x99 security plan. 
Appendix B contains\nthe list of EPA systems extracted from ASSERT and our methodology and summary of results.\nAppendix C contains the description of each NIST-reviewed security control.\n\nWe surveyed Agency information security personnel who completed the ASSERT Fiscal Year\n2007 self-assessments for the reviewed systems. We solicited information on the quality of\nAgency-provided training and guidance to complete the annual security control self-assessments.\nWe also solicited information as to whether the annual self-assessments added value in helping\nthem protect and evaluate their respective information security programs and whether there was\nundue pressure by management to answer the self-assessment questions.\n\nThe estimated cost of this report \xe2\x80\x93 calculated by multiplying the project\xe2\x80\x99s staff days by the\napplicable daily full cost billing rates in effect at the time \xe2\x80\x93 is $511,930.\n\nAction Required\n\nIn accordance with EPA Manual 2750, you are required to provide a written response to this\nreport within 90 calendar days. You should include a corrective actions plan for agreed-upon\nactions, including milestone dates.\n\nWe would like to thank your staff for their cooperation. We have no objections to the further\nrelease of this report to the public. 
This report will be available at http://www.epa.gov/oig.\n\nIf you or your staff have any questions regarding this report, please contact me at (202) 566-0893\nor brevard.rudy@epa.gov; or Vincent Campbell, Project Manager, at (202) 566-2540 or\ncampbell.vincent@epa.gov.\n\x0cSelf-reported Data Unreliable for\nAssessing EPA\xe2\x80\x99s Computer\nSecurity Program\n\n        Results of Review\n\n\n\n\n               10-P-0058            1\n\x0c    Audit Methodology\n\xc2\x84   Reviewed self-reported system security information entered in the Automated\n    System Security Evaluation and Remediation Tracking (ASSERT) system as of\n    September 2007.\n\n\xc2\x84   Reviewed EPA\xe2\x80\x99s organizational structure responsible for managing the quality\n    of data in the ASSERT system.\n\n\xc2\x84   Evaluated self-reported system security information for 51 EPA systems.\n    Reviewed information for compliance with five required National Institute of\n    Standards and Technology (NIST) security controls.\n\n\xc2\x84   Surveyed Agency information security personnel who entered the self-reported\n    system security information into ASSERT. Solicited opinions on the quality of\n    training, guidance, and management support for self-reporting system security\n    information.\n\n\xc2\x84   Evaluated EPA procedures used to ensure the ASSERT contractor adheres to\n    federal system security guidance.\n\n\n\n                                        10-P-0058                                  2\n\x0cNoted Accomplishments\n\nIn response to Office of Inspector General audit, EPA\xe2\x80\x99s Computer\nSecurity Self-Assessment Needs Improvement, Report No. 
2003-P-\n00017, September 30, 2003, Office of Environmental Information:\n\xc2\x84   Updated the ASSERT application to include a test and an implement control\n    feature.\n\n\xc2\x84   Developed and implemented an independent verification and validation\n    process to monitor and evaluate self-assessment responses in ASSERT.\n\n\xc2\x84   Developed and implemented technical vulnerability assessment lab\n    methodology to evaluate authentication and identification controls.\n\n\xc2\x84   Issued an Agency-wide memorandum stipulating all security plans must be\n    prepared in compliance with NIST.\n\n\n\n\n                                     10-P-0058                                3\n\x0cFinding 1\n\n\n\n   Better Data Quality Processes Needed to Improve\n   Accuracy of Self-reported Data\n\n\n\n\n                     10-P-0058                       4\n\x0cBetter Data Quality Processes Needed to \n\nImprove Accuracy of Self-reported Data\n\nUnsubstantiated Responses for Self-reported System Security\nInformation Contribute to Data Quality Problems\n\xc2\x84   Only 17% (71 of 408) of self-reported ASSERT entries had supporting\n    information in security plans.\n\n\xc2\x84   Unsubstantiated responses resulted from EPA offices:\n    \xc2\x89 Entering ASSERT data based on institutional knowledge rather than\n      information documented in the security plan.\n\n    \xc2\x89   Preparing the security plans in a general manner that did not include\n        specific details on how each security control is implemented.\n\n    \xc2\x89   Using risk assessment results that did not fully test NIST security\n        controls.\n\n\n                                       10-P-0058                                5\n\x0cBetter Data Quality Processes Needed to \n\nImprove Accuracy of Self-reported Data\n\nLimited Independent Validation & Verification (IV&V) and Lack of\nFollow-up Inhibit EPA\xe2\x80\x99s Ability to Identify and Correct Data\nInaccuracies\n\xc2\x84   From 
Fiscal Year (FY) 2005 through 2007, 15 IV&V assessments were\n    conducted - (9% of the 171 systems tracked in ASSERT).\n\n\xc2\x84   No requirement for EPA offices to enter Plans of Action and Milestones\n    (POA&Ms) in ASSERT for unresolved IV&V findings.\n\n\xc2\x84   EPA offices not required to provide documentation to EPA\xe2\x80\x99s Technology and\n    Information Security Staff to support steps taken to resolve findings.\n\n\n\n\n                                    10-P-0058                                6\n\x0cBetter Data Quality Processes Needed to \n\nImprove Accuracy of Self-reported Data\n\nIV&V Program Lacks Coordination With Certification & \n\nAccreditation (C&A) Activities\n\n\xc2\x84   IV&V Process:\n       \xc2\x89 Takes place after EPA offices complete security activities associated\n         with authorizing their system for operation.\n\n       \xc2\x89   Does not focus on whether EPA offices designed planned security\n           activities according to applicable guidance and executed the plans\n           as planned.\n\n       \xc2\x89   Lacks method to assist system owners in designing and executing\n           C&A activities consistent with federal guidance.\n\n       \xc2\x89   Does not identify and track identified weaknesses along with\n           corrective actions.\n\n\n\n                                      10-P-0058                                  7\n\x0cOIG Recommendation\nDirector, Office of Technology Operations and Planning should:\n\n1-1\t Develop and implement an assessment process that integrates\n     independent reviews with the Agency\xe2\x80\x99s Certification and Accreditation\n     process. The newly structured assessment process should focus more on\n     ensuring EPA offices (a) plan and execute security activities required to\n     authorize system operations, and (b) complete security activities that\n     comply with federal and Agency guidance. 
The newly structured process\n     should also ensure EPA offices create Plans of Action and Milestones for\n     any identified weaknesses. The newly structured process should also\n     track identified weaknesses and ensure EPA offices retain documentation\n     that supports the remediation of all identified weaknesses.\n\n\n\n\n                                    10-P-0058                                8\n\x0cEPA\xe2\x80\x99s Response to Briefing\n\nEPA indicated it would perform the following actions:\n\n\xc2\x84   Implement a quality review process along with establishing an interagency\n    agreement to improve the quality of the C&A products and reporting of\n    POA&Ms.\n\n\xc2\x84   Hire an information security person to manage POA&Ms based on results\n    from internal and external reviews.\n\n\xc2\x84   Adopt a manual escalation procedure to the Senior Information Official to\n    remediate unresolved POA&Ms. This process is expected to be automated\n    using a new C&A tool (Telos Xacta). The automated process will help\n    eliminate arbitrary date shifts and permit storage of C&A artifacts. 
ASSERT\n    will be modified to facilitate these activities.\n\n\xc2\x84   Increase the IV&V review to cover 10% of the Agency\xe2\x80\x99s information systems\n    along with full coverage of all financial systems and the associated general\n    support systems.\n\n\n\n                                      10-P-0058                                    9\n\x0cFinding 2\n\n\n\n   Better Guidance and Management Support Needed to\n   Foster Accurate Security Reporting\n\n\n\n\n                    10-P-0058                         10\n\x0cBetter Guidance and Management Support \n\nNeeded to Foster Accurate Security Reporting\n\nNot Properly Assessing Security Controls Contributes to Invalid\nData in ASSERT\nSurvey responses regarding the level of training, guidance, and management\nsupport for self-reporting system security information disclosed:\n\n\n\xc2\x84   68% of respondents believed they had not been educated on how to fully\n    assess the NIST 800-53 security controls in ASSERT. Some respondents\n    are confused about how to assess controls when there are shared\n    responsibilities between the general support system and major applications,\n    or between Headquarters and regional offices. Respondents stated that\n    Agency personnel typically refer them to NIST policies for guidance, instead\n    of providing direct assistance when there is uncertainty about how to assess\n    a security control within the ASSERT application.\n\n\n\n\n                                    10-P-0058                                11\n\x0cBetter Guidance and Management Support\nNeeded to Foster Accurate Security Reporting\nNot Properly Assessing Security Controls Contributes to Invalid \n\nData in ASSERT (Continued)\n\n\xc2\x84   47% of respondents believed more training is needed when EPA introduces\n    newer versions of ASSERT. Respondents indicated that ASSERT has gone\n    through numerous changes and updates that have contributed to a longer\n    learning curve. 
Respondents believe EPA could have done a better job in\n    communicating system changes, providing notice when training would be\n    given, and scheduling training in advance of critical ASSERT due dates.\n\n\xc2\x84   68% of respondents felt pressured to answer system security questions in\n    ASSERT in a positive way, even in situations where a specific security\n    control had not been properly tested and implemented. Some respondents\n    believe that the emphasis is on EPA maintaining an \xe2\x80\x9cA\xe2\x80\x9d rating on the federal\n    information security scorecard. Some respondents felt the lack of resources\n    and time constraints led them to view providing self-reported system security\n    information as a \xe2\x80\x9ccheck-the-box\xe2\x80\x9d exercise, with the emphasis on using the\n    ASSERT application instead of assessing security.\n\n\n                                     10-P-0058                                 12\n\x0cOIG Recommendations\n\n\nDirector, Office of Technology Operations and Planning should:\n\n2-1 \tProvide periodic training (at least quarterly and during the annual Security\n     Conference) on how to assess and document the implementation of\n     minimum security controls as required by NIST guidance.\n\n\nAssistant Administrator for Environmental Information and Chief Information\nOfficer should:\n\n2-2 \tIssue a memorandum to Assistant and Regional Administrators to\n     emphasize the importance of ensuring personnel accurately assess and\n     report security information in the ASSERT system.\n\n\n\n\n                                     10-P-0058                                  13\n\x0c    EPA\xe2\x80\x99s Response to Briefing\n\nEPA indicated it would take the following actions:\n\n\xc2\x84    Implement quarterly training sessions on the C&A activities.\n\n\xc2\x84    Implement a 3-day hands-on \xe2\x80\x9croad show\xe2\x80\x9d with Agency system staff to review\n     specific information security packages and 
associated POA&Ms.\n\n\xc2\x84    Implement a mandatory review of all draft and new NIST documents via\n     Quick Place and discuss how the documents apply to EPA.\n\n\xc2\x84    Negotiate a baseline and refresher role-based training course as part of the\n     Agency\xe2\x80\x99s Information Security Training, Education and Awareness curriculum\n     for C&A.\n\n\xc2\x84    Prepare a memorandum from the Chief Information Officer on the importance\n     of accurately assessing and reporting security information in the ASSERT\n     system.\n\n\n\n\n                                        10-P-0058                               14\n\x0cFinding 3\n\n\n\n   EPA Not Fully Reporting the Status of Its Security\n   Program\n\n\n\n\n                      10-P-0058                         15\n\x0cEPA Not Fully Reporting the Status of Its \n\nSecurity Program\nLimited Internal Reporting on Required Information System\nSecurity Controls Inhibits External Reporting\n\n\xc2\x84   EPA offices evaluated and provided self-reported information on only 24%\n    (41 of 171) of the required NIST controls as part of the Agency\xe2\x80\x99s annual\n    review of its information security program.\n\n\xc2\x84   Evaluation excluded all security controls associated with the (1) Media\n    Protection, and (2) System and Communications Protection security\n    categories.\n\n\n\n\n                                     10-P-0058                                 16\n\x0cEPA Not Fully Reporting the Status of Its \n\nSecurity Program\nMissing Information in Security Plans Fosters Incomplete\nReporting on EPA\xe2\x80\x99s Security Program\n\n\xc2\x84   EPA offices lacked the information needed to answer system security\n    questions.\n       \xc2\x89 EPA offices lacked up-to-date security plans. 
80% of reviewed\n           security plans had not been updated since NIST issued the first\n           revision of Special Publication 800-53, Recommended Security\n           Controls for Federal Information Systems, in December 2006.\n\n       \xc2\x89   Only 2 of the 10 reviewed security plans documented all the NIST\n           security controls.\n\n\n\n\n                                     10-P-0058                                17\n\x0cOIG Recommendations\n\nDirector, Office of Technology Operations and Planning should:\n\n 3-1 \tExpand the Agency\xe2\x80\x99s annual system security self-reporting process to\n      include collecting information on all NIST minimum required system\n      security controls.\n\n 3-2 \tImplement a process to verify that Agency security plans incorporate\n      all the minimum required system security controls as prescribed by\n      NIST. This process should include establishing a target date by which\n      the Agency security plans will comply with the current NIST guidance.\n\n\n\n\n                                    10-P-0058                                 18\n\x0cEPA\xe2\x80\x99s Response to Briefing\n\n\nEPA indicated it would take the following actions:\n\n\xc2\x84   Procure a new C&A Tool (Telos Xacta). 
Once implemented, the tool will\n    require all C&A artifacts to be published, stored and maintained.\n\n\xc2\x84   Implement a quality review process for C&A activities and newly published\n    NIST documents.\n\n\xc2\x84   Develop an Agency governance board to ensure newly issued federal\n    requirements are implemented in a timely fashion.\n\n\n\n\n                                     10-P-0058                                  19\n\x0cFinding 4\n\n\n\n   ASSERT Application Needs Security Planning\n\n\n\n\n\n                    10-P-0058                    20\n\x0cASSERT Application Needs Security Planning\n\nIncomplete Security Documentation Raises Concerns Whether the\nASSERT Application Contractor is Meeting Federal Requirements\n\n\n\xc2\x84   ASSERT application security plan does not comply with federal security\n    requirements. The security plan lacks specific information on how the\n    required NIST security controls were implemented for three of the five\n    reviewed areas.\n\n\xc2\x84   ASSERT application lacks an approved contingency plan.\n\n\n\n\n                                   10-P-0058                                 21\n\x0cEPA\xe2\x80\x99s Response to Briefing\n\nBased on our audit, EPA took the following actions:\n\n\xc2\x84   Updated the ASSERT C&A packages in accordance with applicable NIST\n    guidance.\n\n\xc2\x84   Updated and approved the ASSERT Contingency Plan in accordance with\n    applicable NIST guidance.\n\n\n\n\n                                    10-P-0058                             22\n\x0c                                 Status of Recommendations and\n                                   Potential Monetary Benefits\n\n                                                                                                                                 POTENTIAL MONETARY\n                                                    RECOMMENDATIONS                                                               BENEFITS (in $000s)\n\n       
                                                                                                              Planned\n    Rec.    Page                                                                                                    Completion   Claimed    Agreed To\n    No.      No.                          Subject                         Status1         Action Official              Date      Amount      Amount\n\n    1-1       8     Develop and implement an assessment process             O           Director, Office of\n                    that integrates independent reviews with the                    Technology Operations and\n                    Agency\xe2\x80\x99s Certification and Accreditation process.                       Planning\n                    The newly structured assessment process should\n                    focus more on ensuring EPA offices (a) plan and\n                    execute security activities required to authorize\n                    system operations, and (b) complete security\n                    activities that comply with federal and Agency\n                    guidance. The newly structured process should\n                    also ensure EPA offices create Plans of Action and\n                    Milestones for any identified weaknesses. 
The\n                    newly structured process should also track\n                    identified weaknesses and ensure EPA offices\n                    retain documentation that supports the remediation\n                    of all identified weaknesses.\n\n    2-1      13     Provide periodic training (at least quarterly and       O           Director, Office of\n                    during the annual Security Conference) on how to                Technology Operations and\n                    assess and document the implementation of                               Planning\n                    minimum security controls as required by NIST\n                    guidance.\n\n    2-2       13    Issue a memorandum to Assistant and Regional            O        Assistant Administrator for\n                    Administrators to emphasize the importance of                    Environmental Information\n                    ensuring personnel accurately assess and report                 and Chief Information Officer\n                    security information in the ASSERT system.\n\n    3-1      18     Expand the Agency\xe2\x80\x99s annual system security self-        O           Director, Office of\n                    reporting process to include collecting information             Technology Operations and\n                    on all NIST minimum required system security                            Planning\n                    controls.\n\n    3-2       18    Implement a process to verify that Agency security      O           Director, Office of\n                    plans incorporate all the minimum required system               Technology Operations and\n                    security controls as prescribed by NIST. 
This                           Planning\n                    process should include establishing a target date\n                    by which the Agency security plans will comply with\n                    the current NIST guidance.\n\n\n\n\n1    O = recommendation is open with agreed-to corrective actions pending\n     C = recommendation is closed with all agreed-to actions completed\n     U = recommendation is undecided with resolution efforts in progress\n\n\n\n\n                                                                                23 \n\n\x0c                                                                                    10-P-0058\n\n\n                                                                                Appendix A\n\n   Audit Criteria and Description of ASSERT Modules\nApplicable Federal Guidance\n\n   \xe2\x80\xa2\t Federal Information Processing Standards (FIPS) 200, Minimum Security Requirements\n      for Federal Information and Information Systems, specifies minimum security\n      requirements for information and information systems supporting the executive agencies\n      of the Federal Government.\n   \xe2\x80\xa2\t NIST 800-18, Guide for Developing Security Plans for Information Systems, states that\n      system security plans should provide a thorough description of how minimum security\n      controls are being implemented or planned to be implemented.\n   \xe2\x80\xa2\t NIST 800-34, Contingency Planning Guide for Information Technology Systems,\n      provides instructions, recommendations, and considerations for Information Technology\n      Systems contingency planning. Contingency planning contains interim measures to\n      recover IT services following an emergency or system disruption.\n   \xe2\x80\xa2\t NIST 800-53, Recommended Security Controls for Federal Information Systems,\n      provides guidance to federal agencies implementing FIPS 200. 
The 17 security control families in NIST 800-53 are closely aligned with the 17
      security-related areas in FIPS 200 for protecting federal information.

Description of ASSERT System Modules

ASSERT contains three modules: (1) Security Self-Assessments, (2) Remediation Tracking, and
(3) System Categorization.

The ASSERT security self-assessment module is based on NIST 800-53. Electronic entry of the
responses to the assessment, together with EPA-established goals, automatically creates
POA&Ms to remediate vulnerabilities identified in the assessment.

The ASSERT remediation module electronically creates an EPA-established standardized
approach for developing POA&Ms that respond to weaknesses identified by assessments or
security reviews. POA&M tasks can be generated automatically by the self-assessment process
or entered manually for tasks generated by other sources.

Systems in ASSERT are categorized based on the system’s needed level of confidentiality,
integrity, and availability, as explained in FIPS 199 guidelines.

Appendix B

OIG Analysis of Results

We selected the following five system-specific security controls to determine whether the
systems’ security plans fully supported the self-assessments, as reported in EPA’s ASSERT.

Technical Controls
   (AC-2)   Account Management
   (AC-13)  Supervision and Review
   (AU-2)   Auditable Events

Operational Controls
   (CM-5)   Configuration Management: Access Restriction for Change
   (MA-2)   Maintenance: Controlled Maintenance

Source: OIG compiled data based on security controls selected from NIST Special Publication 800-53.

Appendix C contains the description of the security controls and the associated enhancements
reviewed.

We reviewed 408 data entries associated with these security controls. Only 17 percent (71 of 408)
of the ASSERT data entries were supported by system security plans.

Assessment Methodology

The security controls we reviewed were unique to the 51 systems listed in the following table.
Each security control evaluated had to receive a passing grade of “Yes” in order for the
comparative analysis between the ASSERT data and the security plan to receive a cumulative
passing grade. Any security control that received a nonpassing grade of “No” resulted in a
cumulative nonpassing grade. We did not project any errors to EPA’s universe of systems in
ASSERT, because our sample was not statistically selected.

The base control and enhancements are indicated in the following table by the following
abbreviations:

        BC - Base control
        E1 - Enhancement 1
        E2 - Enhancement 2
        E3 - Enhancement 3
        E4 - Enhancement 4

The table below identifies the 51 systems selected from ASSERT as part of this audit and the
results of our analysis. Each entry answers the question: Did the system security plan support
the FY2007 self-assessment in EPA’s ASSERT database?

AC-2                  AC-13     AU-2  CM-5      MA-2
BC  E1  E2  E3  E4    BC  E1    BC    BC  E1    BC  E1  E2     System Name (Program or Regional Office)

System Category: High
N   N   N   N   N     N   N     N     N   N     N   N   N      NAREL Radiation Network (Office of Air and Radiation)

System Category: Moderate
N   N   N   N   -     N   -     N     N   -     N   N   -      EEONet (Office of the Administrator)
Y   Y   Y   N   -     Y   -     N     Y   -     Y   Y   -      Energy Star (Office of Air and Radiation)
N   N   N   N   -     N   -     N     N   -     N   N   -      LNS (Office of Air and Radiation)
N   N   N   N   -     N   -     N     N   -     N   N   -      OAR LAN-1310 (Office of Air and Radiation)
N   N   N   N   -     N   -     N     N   -     N   N   -      Federal Retirement Benefits Calculator (Office of Administration and Resources Management)
N   N   N   N   -     N   -     N     N   -     N   N   -      Grants Information Control System (Office of Administration and Resources Management)
N   Y   N   Y   -     N   -     N     N   -     N   N   -      Budget Automation System (Office of Chief Financial Officer)
N   N   N   N   -     N   -     Y     N   -     Y   Y   -      Contract Payment System (Office of Chief Financial Officer)
N   N   N   N   -     N   -     N     N   -     N   N   -      Financial Data Warehouse (Office of Chief Financial Officer)
Y   N   Y   N   -     Y   -     Y     Y   -     N   N   -      PeoplePlus (Office of Chief Financial Officer)
Y   Y   Y   N   -     Y   -     Y     Y   -     N   N   -      NEIC LAN (Office of Enforcement Compliance and Assurance)
N   N   N   N   -     N   -     N     N   -     N   N   -      OECA LAN (Office of Enforcement Compliance and Assurance)
N   Y   N   N   -     Y   -     N     N   -     N   N   -      Waste International Tracking System (Office of Enforcement Compliance and Assurance)
N   N   N   N   -     N   -     N     N   -     N   N   -      AAA Remote Access System (Office of Environmental Information)
N   N   N   N   -     N   -     N     N   -     N   N   -      Active Directory (Office of Environmental Information)
Y   N   Y   Y   -     N   -     Y     Y   -     N   N   -      Automated System Security Evaluation and Remediation Tracking (Office of Environmental Information)
N   N   N   N   -     N   -     N     Y   -     N   N   -      Enterprise Server (Office of Environmental Information)
N   N   N   N   -     N   -     N     N   -     N   N   -      EPA Enterprise Portal (Office of Environmental Information)
N   N   N   N   -     N   -     N     N   -     N   N   -      Internet Operations and Maintenance and Enhancements (Office of Environmental Information)
N   N   N   N   -     N   -     N     Y   -     N   N   -      Remedy (Office of Environmental Information)
Y   Y   Y   Y   -     Y   -     Y     Y   -     Y   Y   -      SRA Arlington (Office of Environmental Information)
N   N   N   N   -     N   -     N     N   -     N   N   -      Shared Services (Office of Environmental Information)
N   N   N   N   -     N   -     N     N   -     N   N   -      WebForms (Office of Environmental Information)
N   N   N   Y   -     N   -     N     N   -     N   N   -      OGC Local Area Network (Office of General Counsel)
N   Y   N   N   -     N   -     N     N   -     N   N   -      Office of Pesticide Programs Information Network (Office of Prevention, Pesticides and Toxic Substances)
N   N   N   N   -     N   -     Y     N   -     N   N   -      OPP LAN (Office of Prevention, Pesticides and Toxic Substances)
N   N   N   N   -     N   -     N     N   -     N   N   -      OPPT Admin LAN (Office of Prevention, Pesticides and Toxic Substances)
N   N   N   N   -     N   -     N     N   -     N   N   -      OPPT CBI LAN (Office of Prevention, Pesticides and Toxic Substances)
N   N   N   N   -     N   -     N     N   -     N   N   -      Office of Research and Development Management Info (Office of Research and Development)
N   N   N   N   -     N   -     N     N   -     N   N   -      Office of Research and Development RTP GSS (Office of Research and Development)
N   N   N   N   -     N   -     N     N   -     N   N   -      SRMP (Office of Solid Waste and Emergency Response)
N   N   N   N   -     N   -     N     N   -     N   N   -      OGWDW LAN Container (Office of Water)
Y   Y   Y   Y   -     Y   -     Y     Y   -     N   Y   -      OWOW LAN Container (Office of Water)
N   Y   Y   Y   -     N   -     N     N   -     N   N   -      STORET (Office of Water)
Y   N   N   N   -     N   -     Y     N   -     N   N   -      Region 2 LAN (Region 2)
N   N   N   N   -     N   -     Y     N   -     N   N   -      Region 4 LAN (Region 4)
N   N   N   N   -     N   -     N     N   -     N   N   -      GSSP for R5 USEPA (Region 5)
N   N   N   N   -     N   -     N     Y   -     N   N   -      Region 7 LAN (Region 7)
N   N   N   N   -     N   -     N     N   -     N   N   -      Region 8 LAN (Region 8)

System Category: Low
N   -   -   -   -     N   -     N     N/A -     N   -   -      OTAQ-IO NDS Container-ARB (Office of Air and Radiation)
Y   -   -   -   -     N   -     N     N/A -     Y   -   -      FIFRA/TSCA Tracking Systems National Compliance Database (Office of Enforcement Compliance and Assurance)
N   -   -   -   -     N   -     N     N/A -     N   -   -      Laboratory Inspection and Study Audit (Office of Enforcement Compliance and Assurance)
Y   -   -   -   -     N   -     Y     N/A -     Y   -   -      Architecture Repository and Tool (Office of Environmental Information)
N   -   -   -   -     N   -     N     N/A -     N   -   -      Toxic Release Inventory-Made Easy (Office of Environmental Information)
Y   -   -   -   -     Y   -     N     N/A -     Y   -   -      Voice over IP (Office of Environmental Information)
N   -   -   -   -     N   -     N     N/A -     N   -   -      National Homeland Security Research Center - CINC (Office of Research and Development)
N   -   -   -   -     N   -     Y     N/A -     Y   -   -      Nheerl-Corvallis (Office of Research and Development)
N   -   -   -   -     N   -     N     N/A -     N   -   -      Nheerl-Gulf Breeze (Office of Research and Development)
N   -   -   -   -     N   -     Y     N/A -     N   -   -      Assessment, Cleanup & Redevelopment Exchange System (Office of Solid Waste and Emergency Response)
N   -   -   -   -     N   -     Y     N/A -     N   -   -      Institutional Controls Tracking System (Office of Solid Waste and Emergency Response)

51  40  40  40  1     51  1     51    40  1     51  40  1      Total number of entries = 408
10  8   7   6   0     7   0     13    9   0     7   4   0      Total number of supportable entries (denoted with Y) = 71

Y = Yes
N = No
Dash (-) means the enhancement was not a required security control to be evaluated based on the
application’s system category.
N/A = Per NIST Special Publication 800-53 Rev. 1, Recommended Security Controls for Federal
Information Systems, December 2006, configuration management (CM-5) access restriction for change
is not a required security control to be assessed for “low-impact” information systems.
Additionally, this security control was not listed as an evaluation control in ASSERT for Agency
systems reviewed with a “low” system categorization. Therefore, the OIG did not believe it was
necessary to conduct audit work on this security control.

Source: OIG-compiled data based on EPA’s ASSERT data and security plans.

Appendix C

Description of Reviewed Security Controls

The information below provides the description of each base control and the associated control
enhancements for the applicable system risk categorization. The source for this table is NIST
Special Publication 800-53 Rev.
1, Recommended Security Controls for Federal Information Systems, December 2006.

In the table below, an X under a system risk categorization (High, Moderate, Low) means the
control or enhancement applies to systems in that category, and N/A means it is not required.

High  Moderate  Low  Control

Class: Technical
Security Control Family: Access Control (AC)

AC-2 Account Management
 X       X       X   Base Control: The organization manages information system accounts,
                     including establishing, activating, modifying, reviewing, disabling,
                     and removing accounts. The organization reviews information system
                     accounts.
                     Control Enhancements:
 X       X           (1) The organization employs automated mechanisms to support the
                     management of information system accounts.
 X       X           (2) The information system automatically terminates temporary and
                     emergency accounts [Assignment: organization-defined time period for
                     each type of account].
 X       X           (3) The information system automatically disables inactive accounts
                     after [Assignment: organization-defined time period].
 X       X           (4) The organization employs automated mechanisms to audit account
                     creation, modification, disabling, and termination actions and to
                     notify, as required, appropriate individuals.

AC-13 Supervision and Review - Access Control
 X       X       X   Base Control: The organization supervises and reviews the activities
                     of users with respect to the enforcement and usage of information
                     system access controls.
 X       X           Control Enhancement: The organization employs automated mechanisms to
                     facilitate the review of user activities.

Security Control Family: Audit and Accountability (AU)

AU-2 Auditable Events
 X       X       X   Base Control: The information system generates audit records for the
                     following events: [Assignment: organization-defined auditable events].
                     Control Enhancements:
 X                   (1) The information system provides the capability to compile audit
                     records from multiple components throughout the system into a
                     systemwide (logical or physical), time-correlated audit trail.
 X                   (2) The information system provides the capability to manage the
                     selection of events to be audited by individual components of the
                     system.
 X       X           (3) The organization periodically reviews and updates the list of
                     organization-defined auditable events.

Class: Operational
Security Control Family: Configuration Management (CM)

CM-5 Access Restriction for Change
 X       X       N/A Base Control: The organization approves individual access privileges
                     and enforces physical and logical access restrictions associated with
                     changes to the information system, and generates, retains, and reviews
                     records reflecting all such changes.
 X                   Control Enhancement: The organization employs automated mechanisms to
                     enforce access restrictions and support auditing of the enforcement
                     actions.

Security Control Family: Maintenance (MA)

MA-2 Controlled Maintenance
 X       X       X   Base Control: The organization schedules, performs, documents, and
                     reviews records of routine preventative and regular maintenance
                     (including repairs) on the components of the information system in
                     accordance with manufacturer or vendor specifications and/or
                     organizational requirements.
                     Control Enhancements:
 X       X           (1) The organization maintains maintenance records for the information
                     system that include: (a) the date and time of maintenance; (b) name of
                     the individual performing the maintenance; (c) name of escort, if
                     necessary; (d) a description of the maintenance performed; and (e) a
                     list of equipment removed or replaced (including identification
                     numbers, if applicable).
 X       X           (2) The organization employs automated mechanisms to schedule and
                     conduct maintenance as required, and to create up-to-date, accurate,
                     complete, and available records of all maintenance actions, both
                     needed and completed.

Appendix D

Distribution

Office of the Administrator
Acting Assistant Administrator for Environmental Information and Chief Financial Officer
Acting Director, Office of Technology Operations and Planning,
       Office of Environmental Information
Acting Director, Technology and Information Security Staff,
       Office of Environmental Information
Agency Follow-up Official (the CFO)
Agency Follow-up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Audit Follow-up Coordinator, Office of Environmental Information
Acting Inspector General
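The Assessment Methodology in Appendix B describes a grading rule (every required control must be supported by the security plan, and a single “No” fails the system) and reports per-control totals of 408 entries, 71 of them supportable. The following Python is an added example, not code from the OIG report or from ASSERT, that re-tallies Appendix B from a transcription of its table and applies that rule, so a practitioner validating self-reported compliance data against independent evidence can reproduce the column totals and see which systems would receive a cumulative passing grade. The cell codes (Y, N, - and / for N/A) and the row encoding are this example’s own conventions; the row values are transcribed from the table above.

```python
"""Re-tally the Appendix B comparison of ASSERT self-assessment entries against
system security plans and apply the report's cumulative pass/fail rule.
Added example; not code from the OIG report or from ASSERT. Row data is
transcribed from the Appendix B table; the grading rule is from its methodology."""
from collections import Counter

# The 13 graded cells per system, in the table's column order.
COLUMNS = ["AC-2 BC", "AC-2 E1", "AC-2 E2", "AC-2 E3", "AC-2 E4",
           "AC-13 BC", "AC-13 E1", "AU-2 BC", "CM-5 BC", "CM-5 E1",
           "MA-2 BC", "MA-2 E1", "MA-2 E2"]

# Cell codes (this example's own): Y = plan supports the ASSERT entry, N = it
# does not, - = enhancement not required for the system category (not graded),
# / = N/A (CM-5 not assessed for low-impact systems; not graded).
MOD_ALL_N = "NNNN-N-NN-NN-"   # moderate-impact system with no supported entry
LOW_ALL_N = "N----N-N/-N--"   # low-impact system with no supported entry

ROWS = [  # (system category, system name, 13 cells in COLUMNS order)
    ("High", "NAREL Radiation Network", "NNNNNNNNNNNNN"),
    ("Moderate", "EEONet", MOD_ALL_N),
    ("Moderate", "Energy Star", "YYYN-Y-NY-YY-"),
    ("Moderate", "LNS", MOD_ALL_N),
    ("Moderate", "OAR LAN-1310", MOD_ALL_N),
    ("Moderate", "Federal Retirement Benefits Calculator", MOD_ALL_N),
    ("Moderate", "Grants Information Control System", MOD_ALL_N),
    ("Moderate", "Budget Automation System", "NYNY-N-NN-NN-"),
    ("Moderate", "Contract Payment System", "NNNN-N-YN-YY-"),
    ("Moderate", "Financial Data Warehouse", MOD_ALL_N),
    ("Moderate", "PeoplePlus", "YNYN-Y-YY-NN-"),
    ("Moderate", "NEIC LAN", "YYYN-Y-YY-NN-"),
    ("Moderate", "OECA LAN", MOD_ALL_N),
    ("Moderate", "Waste International Tracking System", "NYNN-Y-NN-NN-"),
    ("Moderate", "AAA Remote Access System", MOD_ALL_N),
    ("Moderate", "Active Directory", MOD_ALL_N),
    ("Moderate", "Automated System Security Evaluation and Remediation Tracking", "YNYY-N-YY-NN-"),
    ("Moderate", "Enterprise Server", "NNNN-N-NY-NN-"),
    ("Moderate", "EPA Enterprise Portal", MOD_ALL_N),
    ("Moderate", "Internet Operations and Maintenance and Enhancements", MOD_ALL_N),
    ("Moderate", "Remedy", "NNNN-N-NY-NN-"),
    ("Moderate", "SRA Arlington", "YYYY-Y-YY-YY-"),
    ("Moderate", "Shared Services", MOD_ALL_N),
    ("Moderate", "WebForms", MOD_ALL_N),
    ("Moderate", "OGC Local Area Network", "NNNY-N-NN-NN-"),
    ("Moderate", "Office of Pesticide Programs Information Network", "NYNN-N-NN-NN-"),
    ("Moderate", "OPP LAN", "NNNN-N-YN-NN-"),
    ("Moderate", "OPPT Admin LAN", MOD_ALL_N),
    ("Moderate", "OPPT CBI LAN", MOD_ALL_N),
    ("Moderate", "Office of Research and Development Management Info", MOD_ALL_N),
    ("Moderate", "Office of Research and Development RTP GSS", MOD_ALL_N),
    ("Moderate", "SRMP", MOD_ALL_N),
    ("Moderate", "OGWDW LAN Container", MOD_ALL_N),
    ("Moderate", "OWOW LAN Container", "YYYY-Y-YY-NY-"),
    ("Moderate", "STORET", "NYYY-N-NN-NN-"),
    ("Moderate", "Region 2 LAN", "YNNN-N-YN-NN-"),
    ("Moderate", "Region 4 LAN", "NNNN-N-YN-NN-"),
    ("Moderate", "GSSP for R5 USEPA", MOD_ALL_N),
    ("Moderate", "Region 7 LAN", "NNNN-N-NY-NN-"),
    ("Moderate", "Region 8 LAN", MOD_ALL_N),
    ("Low", "OTAQ-IO NDS Container-ARB", LOW_ALL_N),
    ("Low", "FIFRA/TSCA Tracking Systems National Compliance Database", "Y----N-N/-Y--"),
    ("Low", "Laboratory Inspection and Study Audit", LOW_ALL_N),
    ("Low", "Architecture Repository and Tool", "Y----N-Y/-Y--"),
    ("Low", "Toxic Release Inventory-Made Easy", LOW_ALL_N),
    ("Low", "Voice over IP", "Y----Y-N/-Y--"),
    ("Low", "National Homeland Security Research Center - CINC", LOW_ALL_N),
    ("Low", "Nheerl-Corvallis", "N----N-Y/-Y--"),
    ("Low", "Nheerl-Gulf Breeze", LOW_ALL_N),
    ("Low", "Assessment, Cleanup & Redevelopment Exchange System", "N----N-Y/-N--"),
    ("Low", "Institutional Controls Tracking System", "N----N-Y/-N--"),
]


def tally(rows=ROWS):
    """Per-column counts of graded entries and of entries the plan supported."""
    entries, supported = Counter(), Counter()
    for _category, _name, cells in rows:
        for column, cell in zip(COLUMNS, cells):
            if cell in "-/":
                continue  # not a required control for this category: not graded
            entries[column] += 1
            if cell == "Y":
                supported[column] += 1
    return entries, supported


def cumulative_pass(rows=ROWS):
    """Systems with a cumulative passing grade: every graded cell is 'Y'.
    A single 'N' fails the whole system, as the methodology states."""
    return [name for _category, name, cells in rows
            if all(c == "Y" for c in cells if c not in "-/")]


def support_rate(rows=ROWS):
    """(supported, graded) totals across all columns; the report's 71 of 408."""
    entries, supported = tally(rows)
    return sum(supported.values()), sum(entries.values())
```

Running `tally()` reproduces the two totals rows of the Appendix B table column by column, `support_rate()` returns the 71-of-408 figure behind the report’s 17 percent, and `cumulative_pass()` shows how strict the all-or-nothing rule is: only one of the 51 systems has every required control supported by its security plan.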